Severity
High
Short Description
Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Packages
View packages with this alert.Suggestion
Publish the git dependency to npm or a private package repository and consume it from there.
There are a number of security risks associated with using packages that have Git dependencies. Most notably, these are non-immutable dependencies. Dependencies fetched directly from remote Git URLs can be problematic because the tampered with after it's downloaded, potentially injecting malicious code into your project.
Additionally, using packages with git dependencies can create reproducibility issues and security vulnerabilities, as they bypass the typical vetting processes that are in place for packages published to official registries. This increases the risk of introducing malicious code or vulnerabilities, as the code in the repository might not have undergone the same scrutiny as versioned packages.
Git dependencies can also introduce other risks to stability, reliability, and compliance:
1. Lack of Version Control:
⠀2. Stability and Reliability Issues:
⠀3. Dependency Drift:
⠀4. Difficulty in Auditing:
When you get a Git dependency or GitHub dependency alert for one of your packages or updates, there are a few best practices to keep in mind.
It's also important to understand that there are a number of legitimate use cases for git dependencies in open source packages. They are often used as a way to give access to unreleased features or bug fixes, incorporate forks and custom modifications, testing an experimental feature branch, hosting private or proprietary code, or as part of a monorepo workflow.
Developers should be aware of the trade-offs and ensure they implement proper security measures to mitigate the risks when using packages with git dependencies.
Many Socket users elect to configure their Security Policies to Warn for the Git Dependency alert, but you can also make it more a more serious concern and Block these dependencies.
Here's an example of a package with this alert. It is considered a high severity alert in the supply chain risk category.
The alert links to package.json
where the Git repo is listed as a dependency:
Specific examples of Git dependency attacks in the wild are less commonly documented compared to other types of supply chain attacks. Although many high profile attacks have not directly reference a Git dependency in a package.json
, it is very common to see dependencies hosted on GitHub getting compromised.
For example, in 2018, the npm security team foiled a plot to steal cryptocurrency when the electron-native-notify npm package was compromised. An attacker gained access to the maintainer's GitHub account and injected malicious code into the electron-native-notify repository. The malicious code included a post-install script that collected and sent sensitive information to a remote server. The compromised version was published to npm, and projects depending on this package unknowingly included the malicious code.
Packages are flagged with this alert when they include dependencies that are sourced directly from a remote Git URL.
npm Documentation: Dependencies
package.json
file, emphasizing the benefits of using versioned packages for consistency and stability.Yarn Documentation: Selective Dependency Resolutions
NPM Documentation: Package Lock Files
package-lock.json
to ensure consistent dependency versions and avoid issues with Git-hosted dependencies.